CDA query parameter not parsed when query params are reordered
Environment
LemonLDAP::NG version: 2.0.9
Web server: Apache
Summary
I use a reverse proxy which reorders query parameters (some WAFs do this too).
- Set up test1.example.com to be CDA
- Browse to http://test1.example.com/?action=login
- Handler redirects to http://auth.example.com/?url=base64(http://test1.example.com/?action=login)
- Portal redirects to http://test1.example.com/?action=login&lemonldapcda=XXX
- Reverse proxy rewrites it to http://test1.example.com/?lemonldapcda=XXX&action=login
- Handler is unable to extract CDA code and redirects to portal again
Logs
In Lib/CDA.pm:
if ( $uri =~ s/[\?&;]${cn}cda=(\w+)$//oi ) {
This can only match if the CDA code is at the end of the URL.
Possible fixes
We should rewrite this regexp to handle query params in a more robust way.
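
The behaviour described in this report, reproduced as an added example (not code from LemonLDAP::NG or from the reporter): the end-anchored pattern quoted above is run against the two URLs from the steps, next to a position-independent extraction. The function names are hypothetical, the cookie name `lemonldap` is assumed from the `lemonldapcda` parameter in the report, and the second function is one possible approach, not the project's fix.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $cn = 'lemonldap';    # assumed cookie name, from "lemonldapcda" in the report

# Pattern quoted in the report: only matches when the CDA parameter is last.
sub extract_cda_anchored {
    my ($uri) = @_;
    my $code;
    $code = $1 if $uri =~ s/[\?&;]${cn}cda=(\w+)$//i;
    return ( $code, $uri );
}

# Hypothetical position-independent variant: split the query string into
# parameters, take the first CDA parameter out, keep the others in order.
# Note: remaining parameters are rejoined with '&', so ';' separators change.
sub extract_cda_anywhere {
    my ($uri) = @_;
    my ( $base, $query ) = split /\?/, $uri, 2;
    return ( undef, $uri ) unless defined $query;
    my ( $code, @keep );
    for my $param ( split /[&;]/, $query ) {
        if ( !defined $code and $param =~ /^\Q$cn\Ecda=(\w+)$/i ) {
            $code = $1;
        }
        else {
            push @keep, $param;
        }
    }
    return ( undef, $uri ) unless defined $code;
    return ( $code, @keep ? $base . '?' . join( '&', @keep ) : $base );
}

# URLs from the steps in the report.
my @uris = (
    'http://test1.example.com/?action=login&lemonldapcda=XXX',  # sent by portal
    'http://test1.example.com/?lemonldapcda=XXX&action=login',  # after reordering
);
my @extractors = (
    [ anchored => \&extract_cda_anchored ],
    [ anywhere => \&extract_cda_anywhere ],
);
for my $uri (@uris) {
    for my $e (@extractors) {
        my ( $code, $rest ) = $e->[1]->($uri);
        printf "%-8s code=%-4s uri=%s\n", $e->[0], $code // '-', $rest;
    }
}
```

For the reordered URL the anchored pattern returns no code and leaves the parameter in the URI, which is the condition that sends the handler back to the portal.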